In CDP, a Data Lake is a service for creating a protective ring of security and governance around your data, whether the data is stored in cloud object storage or HDFS.
The Data Lake provides a way for you to create, apply, and enforce user authentication and authorization and to collect audit and lineage metadata from across multiple ephemeral workload clusters. When you start a workload cluster in the context of a CDP environment, the workload cluster is automatically "attached" with the security and governance infrastructure of the Data Lake. "Attaching" your workload resources to the Data Lake instance allows the attached cluster workloads to access data and run in the security context provided by the Data Lake.
A Data Lake cluster includes Apache Knox. Knox provides a protected gateway for access to Data Lake UIs. Knox is also installed on all workload clusters, providing a protected gateway for access to cluster UIs.
While workloads can be short-lived, the security policies around your data schema are long-running and shared for all workloads. The Data Lake instance provides consistent and available security policy definitions that are available for current and future ephemeral workloads. All information related to metadata, policies, and audits is stored on external locations (external databases and cloud storage).
The Data Lake stores its metadata, policies, and audits in external databases and cloud storage, reducing the resource footprint on the cluster.
The following technologies provide capabilities for the Data Lake:
|Schema||Apache Hive Metastore||Provides Hive schema (tables, views, and so on). If you have two or more workloads accessing the same Hive data, you need to share schema across these workloads.|
|Authorization Policies||Apache Ranger||Defines security policies around Hive schema. If you have two or more users accessing the same data, you need security policies to be consistently available and enforced.|
|Audit Tracking||Apache Ranger||Audits user access and captures data access activity for the workloads.|
|Governance||Apache Atlas||Provides metadata management and governance capabilities.|
|Security Gateway||Apache Knox||Supports a single workload endpoint that can be protected with SSL and enabled for authentication to access to resources.|